Government of Canada

Revised Draft 2nd Edition of the TCPS (December 2009)

Chapter 5

PRIVACY AND CONFIDENTIALITY

There is widespread agreement about the interests of research participants in protection of privacy and the corresponding duties of researchers to treat personal information in a confidential manner. Indeed, the respect for privacy in research is an internationally recognized norm and ethical standard. Fundamental rights and freedoms in the Canadian Constitution have been interpreted by courts to include privacy protections. Privacy rights are also protected in federal and provincial/territorial legislation. Model voluntary codes [1] have also been adopted to govern access to, and the protection of, personal information. Some professional organizations have also established codes that establish the conditions and obligations of their members regarding collection, use and disclosure of personal information.

Privacy risks in research relate to the identifiability of participants and the potential harms they, or groups to which they belong, may experience from collection, use and disclosure of personal information. Privacy risks arise at all stages of the research life cycle, including initial collection of information, use and analysis to address research questions, dissemination of research results, storage and retention of information, and disposal of records or devices on which information is stored.

This Policy is based on a proportionate approach to ethical assessment of research. Researchers and research ethics boards (REBs) should identify and mitigate privacy risks, keeping in mind that a matter that is not sensitive or embarrassing for the researcher may be so for the participant.

In addition to guidance provided in this Policy, researchers are responsible for compliance with all applicable legal and regulatory requirements with respect to protection of privacy and consent for the collection, use or disclosure of information about participants. These requirements may vary by jurisdiction and, depending on who is funding/conducting the research, may consist of obligations under the Constitution (including the Canadian Charter of Rights and Freedoms), and federal or provincial privacy legislation, among other legal and regulatory requirements.

A.    Key Definitions and Principles

Privacy

Privacy refers to an individual’s right to be free from intrusion or interference by others. It is a fundamental right in a free and democratic society. Individuals have privacy interests in relation to their bodies, personal information, thoughts and opinions, personal communications with others and spaces they occupy. Research affects these various domains of privacy in different ways, depending on its objectives and methods. An important aspect of privacy is the right to control information about oneself. The concept of consent is related to the right to privacy. Privacy is respected if an individual has an opportunity to exercise control over personal information by consenting to, or withholding consent for, collection, use and/or disclosure of information. (See Chapter 3 for further discussion of consent).

Confidentiality

The ethical duty of confidentiality refers to the obligation of an individual or organization to safeguard information entrusted to it by another. The ethical duty of confidentiality includes obligations to protect information from unauthorized access, use, disclosure, modification, loss or theft. Fulfilling the ethical duty of confidentiality is essential to the trust relationship between researcher and research participant, and to the integrity of the research enterprise.

Security

Security refers to measures used to protect information. It includes physical, administrative and technical safeguards. An individual or organization fulfils its confidentiality duties, in part, by adopting and enforcing appropriate security measures. Physical safeguards include the use of locked filing cabinets and the location of computers containing research data away from public areas. Administrative safeguards include the development and enforcement of organizational rules about who has access to personal information about research participants. Technical safeguards include use of computer passwords, firewalls, anti-virus, encryption and other measures that protect data from unauthorized access, loss or modification.

Types of Information

Researchers may seek to collect, use, share and access different types of information about research participants. Such information may include personal characteristics, such as age, culture, educational background, employment history, health care, life experience, religion, social status or other matters where an individual has a reasonable expectation of privacy.

Information may be categorized along a spectrum of identifiability. For the purposes of this Policy, researchers and REBs must consider if information proposed for use in research is identifiable or non-identifiable.

Information is identifiable if it, alone or when combined with other information available to the person who receives it, can reasonably be expected to identify an individual. The term “personal information” generally denotes identifiable information about an individual.

The following categories help explain the spectrum of identifiability for the purposes of this Policy:

  • Directly identifying information – the information identifies a specific individual through direct identifiers (e.g. name, social insurance number, personal health number).

  • Indirectly identifying information – the information can reasonably be expected to identify an individual through a combination of indirect identifiers (e.g. date of birth, place of residence or unique personal characteristic).

  • De-identified/coded information – direct identifiers are removed and replaced with a code. Depending on access to the code, it may be possible to re-identify specific research participants (e.g. participants are assigned a code name and the principal investigator retains a list that links the code name with the participant’s actual name so data can be re-linked if necessary).

  • Anonymized information – information is irrevocably stripped of identifiers, and a code is not kept to allow future re-linkage.

  • Anonymous information – information never had identifiers associated with it (e.g. anonymous surveys).

Ethical concerns regarding privacy decrease as it becomes more difficult or impossible to associate information with a particular individual. These concerns also vary with the sensitivity of the information and the extent to which access, use or disclosure may harm an individual or group by exposing them to embarrassment, stigmatization, discrimination or other detriments.

Collection and use of anonymous data in research is the easiest way to protect participants, although this is not always possible or desirable. A “next best” alternative is to anonymize or de-identify the data at the earliest opportunity. While these measures often protect participants from identification, use of de-identified/coded or anonymized information for research may still present risks of re-identification.

Technological developments increase the ability to access, store, and analyze large volumes of data. These activities may heighten risks of re-identification, such as when researchers link datasets, as discussed in Section E of this chapter, or where a dataset contains information about a population in a small geographical area or individuals with unique characteristics (e.g. uncommon field of occupational specialization, diagnosis with a very rare disease). Various factors affect the risk of re-identification [2], and researchers and REBs should be vigilant in considering and reducing risks of re-identification.

Failing the feasibility of using anonymous or anonymized data for research (and there are many reasons why data may need to be gathered and retained in an identifiable form), the ethical duty of confidentiality and appropriate measures to safeguard information become paramount. This Policy generally requires more stringent protections in research involving identifiable information. Researchers should consult their REB if they are uncertain about whether information proposed for use in research is identifiable – for example, when proposing to link de-identified datasets.

B.    The Ethical Duty of Confidentiality

Article 5.1 Researchers shall safeguard information entrusted to them and not misuse or wrongfully disclose it.

Application When researchers obtain information with a promise of confidentiality, they assume an ethical duty that is central to respect for research participants and the integrity of the research enterprise. Breaches of confidentiality may harm the participant, the trust relationship between the researcher and the participant, other individuals or groups, and/or the reputation of the research community. Research that probes sensitive topics (e.g. illegal activities) generally depends on strong promises of confidentiality to establish trust with participants.

The ethical duty of confidentiality applies to information obtained directly from participants or from other researchers or organizations that have legal, professional or other obligations to maintain confidentiality.

The ethical duty of confidentiality must, at times, be balanced against legal or professional requirements, or competing ethical considerations, that call for disclosure of information obtained or created in a research context. For example, in exceptional and compelling circumstances, researchers may be subject to obligations to report information to authorities to protect the health, life or safety of a research participant or third party. Researchers should be aware of laws (such as laws that require reporting of children in need of protection) or ethical codes (such as professional codes of conduct) that may require disclosure of information they obtain in a research context. In other situations, a third party may seek access to information obtained and/or created in confidence in a research context. An access request may seek voluntary disclosure of information or may seek to compel disclosure through force of law (e.g. by subpoena). Chapter 1, Section C elaborates on research ethics and law.

Certain areas of research (such as research involving children at risk of abuse or study of criminal behaviour) are more likely to put researchers in positions where they may experience tension between the ethical duty of confidentiality and disclosure to third parties. Researchers shall maintain their promise of confidentiality to research participants within the extent permitted by law and/or ethical principles. This may involve resisting requests for access, such as opposing court applications seeking disclosure. Researchers’ conduct in such situations should be assessed on a case-by-case basis and guided by consultation with colleagues, any relevant professional body, the REB, and/or legal counsel. Institutions should support their researchers in maintaining promises of confidentiality.

In some instances, participants may waive confidentiality, for example, if they wish to be identified for their contributions to the research. In such situations, researchers should negotiate agreement with participants about how participants may be identified to recognize their contribution. Where an individual participant waives confidentiality but other members of the participant group object because identification may cause harm to the group, researchers shall maintain confidentiality. (See Articles 3.2 (f) and 10.5).

Article 5.2 Researchers shall describe measures for meeting confidentiality obligations and explain any reasonably foreseeable disclosure requirements:

(a) in application materials they submit to the REB; and

(b)  during the consent process with potential research participants.

Application This article recognizes that some research investigations are more likely to put researchers in a position where they may have a requirement to disclose information to third parties. The reasonable foreseeability of disclosure requirements can be assessed by considering the nature and objectives of the research inquiry. For example, research that involves interviewing high risk families about inter-generational violence raises a reasonably foreseeable prospect that researchers may acquire information that a child is being abused. Researchers who reasonably foresee that their inquiries may give rise to a legal or ethical reason to disclose information obtained in the research context shall advise the REB and potential participants about the possibility of compelled disclosure. Advising participants of reasonably foreseeable disclosure requirements is an important aspect of consent.

Situations may arise where researchers unexpectedly acquire information that gives rise to a reason for disclosure to a third party, or researchers may receive a disclosure demand from a third party. In such cases, advising a participant about the disclosure may be important to respect the trust relationship with the participant and to ensure the participant’s ongoing consent. Decisions about whether, how and when to advise a participant of disclosure should be guided by any applicable disciplinary standards and consultation with the REB, colleagues, professional body and/or legal counsel.

Researchers shall also inform participants and seek consent from participants if personal information might be provided to government departments or agencies, community partners in the research, personnel from an agency that monitors the research, a research sponsor (such as a pharmaceutical company), the REB or a regulatory agency.

Researchers should avoid being put in a position of becoming informants for authorities or leaders of organizations. For example, when records of prisoners, employees, students or others are used for research purposes, the researcher should not provide authorities with results that could identify individuals unless the prior written consent of the participants is obtained. Researchers may, however, provide administrative bodies with aggregated data that cannot be linked to individuals, for purposes such as policy-making or program evaluation. To seek consent, researchers should advise potential participants if aggregated data from a study may be disclosed, particularly where such disclosure may pose a risk to the participants. For example, aggregate data provided to authorities about research on illicit drug use in a penitentiary may pose risks to the prisoners, even though they are not identified individually.

When designing their research, researchers should incorporate any applicable statute-based or other legal principles that may afford protection for the privacy of participants and confidentiality of research information.

C.    Safeguarding Information

Article 5.3 Researchers shall provide details to the REB regarding their proposed measures for safeguarding information, for the full life cycle of information – that is, its collection, use, dissemination, retention and/or disposal.

Application Researchers shall assess privacy risks and threats to the security of information for all stages of the research life cycle and implement appropriate measures to protect information. Safeguarding information helps respect the privacy of research participants and helps researchers fulfill their confidentiality obligations. In adopting measures to safeguard information, researchers should follow disciplinary standards and practices for the collection and protection of information for research purposes. Formal privacy impact assessments are required in some institutions and under legislation or policy in some jurisdictions. Security measures should take into account the nature, type and state of data (e.g. paper records or electronic data stored on a mobile device, whether information contains direct or indirect identifiers, whether data is in transit and more vulnerable to unauthorized access). Measures for safeguarding information apply both to original documents and copies of information.

Factors relevant to the REB’s assessment of the adequacy of the researchers’ proposed measures for safeguarding information include:

(a)     the type of information to be collected;

(b)     the purpose for which the information will be used, and purpose of any secondary use of identifiable information;

(c)     limits on the use, disclosure and retention of the information;

(d)     risks of re-identification of individuals;

(e)     appropriate security safeguards for the full life cycle of information;

(f)     any recording of observations (e.g. photographs, videos, sound recordings) in the research that may allow identification of particular participants;

(g)     any anticipated uses of personal information from the research; and

(h)     any anticipated linkage of data gathered in the research with other data about participants, whether those data are contained in public or personal records. (See also Section E).

In considering the adequacy of proposed measures for safeguarding information during its full life cycle, REBs should not automatically impose a requirement that researchers destroy the research data. Stored information may be useful for a variety of future purposes. Appropriate data retention periods vary depending on the research discipline, research purpose and kind of data involved. In some situations, formal data sharing with participants may occur – for example, by giving individual participants copies of a recording or transcript as a gift for personal, family or other archival use. Similarly, some funding bodies, such as the Social Sciences and Humanities Research Council and the Canadian Institutes of Health Research, have specific policies on data archiving and sharing [3]. Researchers should address how the participant’s information will be handled if participants choose to withdraw from research.

In disseminating research results, researchers should not disclose direct identifiers without the consent of research participants. Researchers should take reasonable measures to ensure against inadvertent identification of individuals or groups in publications or other means of dissemination, and they must address this issue to the satisfaction of the REB.

Consideration of future uses of personal information refers not just to research, but also to other purposes, such as the future use of research materials for educational purposes.

Research data sent over the Internet may require encryption, or removal of identifiers by special denominalization software before transmission, so that data intercepted by unauthorized persons cannot be read, and to address other risks to data security. In general, identifiable data obtained through research that is kept on a computer connected to the Internet should be encrypted.

Article 5.4 Institutions or organizations where research data are held have a responsibility to establish appropriate institutional security safeguards.

Application In addition to the security measures researchers implement to protect data, safeguards put in place at the institutional or organizational level also provide important protection. Such data security safeguards should include physical, administrative and technical measures and should address the full life cycle of information. This includes institutional or organizational safeguards for information while it is currently in use by researchers and for any long-term retention of information.

D.    Consent and Secondary Use of Identifiable Information for Research Purposes

Secondary use refers to the use in research of information originally collected for a purpose other than the current research purpose. Common examples are social science or health survey datasets that are collected for specific research or statistical purposes, but then re-used to answer other research questions. Information initially collected for program evaluation may be useful for subsequent research. Other examples include health care records, school records, biological specimens, vital statistics registries or unemployment records, originally created or collected for therapeutic, educational or administrative purposes, but later sought for use in research. Chapter 12 provides further guidance on research involving secondary use of previously collected human biological materials.

Secondary use avoids duplication in primary collection and therefore reduces burdens and costs for participants and researchers. Privacy concerns and questions about the need to seek consent arise, however, when information provided for secondary use in research can be linked to individuals and when the possibility exists that individuals can be identified in published reports or through data linkage. Privacy legislation recognizes these concerns and permits secondary use of identifiable information under certain circumstances.

Article 5.5  Researchers who seek a waiver of consent for secondary use of identifiable information in research shall satisfy the REB that:

(a) identifiable information is essential to the research;

(b) the waiver is unlikely to adversely affect the welfare of individuals to whom the information relates;

(c) the researchers will take appropriate measures to protect the privacy of individuals and to safeguard the identifiable information;

(d) the researchers will comply with any known preferences previously expressed by individuals about uses of their information;

(e) it is impossible or impracticable to seek consent from individuals to whom the information relates; and

(f) the researchers have obtained any other necessary (e.g. legal) permission for secondary use of information for research purposes.

If a researcher satisfies all the conditions in Article 5.5(a) to (f), the REB may approve the research without requiring consent from the individuals to whom the information relates.

Application This Policy does not require that researchers seek consent from individuals for the secondary use of non-identifiable information. However, consent must be sought where researchers propose to use identifiable information, unless the researcher satisfies all the requirements in Article 5.5. The waiver of consent in this article is specific to secondary use of identifiable information. The terms of Article 3.7 address alteration and waiver of consent in other circumstances and do not apply here.

Secondary use of information identifiable as originating from a specific Aboriginal community, or a segment of the Aboriginal community at large, is addressed in Article 9.2 [4].

“Impracticable” refers to undue hardship or onerousness such that the conduct of the research is jeopardized; it does not mean mere inconvenience. Consent may be impossible or impracticable when the group is very large or its members are likely to be deceased, geographically dispersed or difficult to track. Attempting to track and contact members of the group may raise additional privacy concerns. Financial, human and other resources required to contact individuals and seek consent may impose undue hardship. In some jurisdictions, privacy laws may preclude researchers from using personal information to contact individuals to seek their consent for secondary use of information [5].

Privacy laws may also impose specific rules regarding disclosure of information for secondary use in research. These laws may require the individual or organization that has custody or control of requested personal information to obtain approval from a privacy commissioner or other body before disclosing information to researchers, and may impose additional requirements such as information sharing agreements that describe disclosure conditions. Such conditions may include the requirement that the researcher not publish identifiable information or contact individuals to whom the information relates. Researchers should be aware of relevant laws that regulate disclosure of information for research purposes.

At the time of initial collection, individuals may have had an opportunity to express preferences about future uses of personal information, including research uses. Researchers and REBs shall respect any known preferences. For example, where possible, identifiable information about individuals who have expressed objection to future use should be removed from the dataset before researchers use it for approved research.

An REB may require that researchers engage in discussion with representatives of individuals or groups to whom the information relates where the proposed research involves information of greater sensitivity (e.g. genetic information, information about persons who seek help through domestic violence shelters, or information about sexual practices). Discussion is not intended as proxy consent. Rather, a goal of discussion is to seek input regarding the proposed research, such as the design of the research, measures for privacy protection and potential uses of research findings. Discussion may also be useful to determine that the research will not adversely affect the welfare of individuals to whom the information relates. Researchers should advise the REB of outcomes of such discussion and the REB may require modifications to the research proposal based on the feedback.

Article 5.6 When secondary use of identifiable information without consent has been approved under Article 5.5, researchers who propose to contact individuals for additional information shall, prior to contact, seek REB approval of the plan for making contact.

Application In certain cases, a research goal may be achieved only through follow up contact with individuals to collect additional information. Under Article 5.5, the REB may have approved secondary use without consent based, in part, on the impossibility or impracticability of seeking consent. Where contact with a sub-group is feasible, researchers may subsequently wish to attempt to make contact with some individuals to obtain additional information. Contact with individuals whose previously collected information has been approved for secondary use in research raises privacy concerns. Individuals might not want to be contacted by researchers or might be upset that identifiable information was disclosed to researchers without their consent. The research benefits of follow-up contact must clearly outweigh the risks to individuals of follow-up contact, and the REB must be satisfied that the proposed manner of follow-up contact minimizes risks for individuals. The proposed plan should explain who will contact individuals to invite their participation in the research (e.g. a representative of the organization that holds the individual’s information) and the nature of their relationship with those individuals. Researchers will need to seek consent from these individuals for any new data collection. Article 3.1 provides further guidance on consent and approaches to recruitment.

E.    Data Linkage

Article 5.7 Researchers who propose to engage in data linkage shall obtain REB approval prior to carrying out the data linkage, unless the research relies exclusively on publicly available information as discussed in Article 2.2. The application for approval shall describe the data that will be linked and the likelihood that identifiable information will be created through the data linkage.

Where data linkage involves or is likely to produce identifiable information, researchers shall satisfy the REB that:

(a) the data linkage is essential to the research; and

(b) appropriate security measures will be implemented to safeguard information.

Application Growing numbers of databases and advancing technological capacity to link databases create new research opportunities, but also new privacy risks. In particular, linkage of de-identified or anonymized databases may permit re-identification of individuals. This article provides guidance for researchers who propose to carry out data linkage and requires that they assess and mitigate risks of re-identification. Only a restricted number of individuals should perform the function of merging databases. Researchers should use enhanced security measures to store the merged file.
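As an added illustration that is not part of the Policy text, the following Python example walks through the identifiability categories of Section A and the linkage risk this article addresses, on a small constructed dataset. It produces de-identified/coded records whose link table is held apart from the data, anonymized records with no code kept, a k-anonymity check over the indirect identifiers that remain (date of birth, postal prefix, sex), a linkage of the coded data to a constructed public list on those same fields, and the effect of generalizing the fields before release. All names, dates, postal prefixes, the public list and the link key are invented for the example.

```python
# Added example (not from the TCPS): coding, anonymization, k-anonymity and a
# quasi-identifier linkage attack on a constructed research dataset.
import hashlib
import hmac
from collections import Counter

# Constructed sample records; every value is invented.
RAW_RECORDS = [
    {"name": "Alice Tremblay", "dob": "1981-03-14", "postal": "K1A", "sex": "F", "dx": "asthma"},
    {"name": "Chloe Roy",      "dob": "1981-03-14", "postal": "K1A", "sex": "F", "dx": "hypertension"},
    {"name": "Bob Nguyen",     "dob": "1975-11-02", "postal": "M5V", "sex": "M", "dx": "diabetes"},
    {"name": "Frank Li",       "dob": "1975-11-02", "postal": "M5V", "sex": "M", "dx": "asthma"},
    {"name": "Dave Okafor",    "dob": "1990-07-21", "postal": "T2P", "sex": "M", "dx": "rare-dx"},
    {"name": "Greg Sato",      "dob": "1992-05-05", "postal": "T3K", "sex": "M", "dx": "asthma"},
    {"name": "Eve Martin",     "dob": "1962-01-30", "postal": "V6B", "sex": "F", "dx": "asthma"},
    {"name": "Helen Park",     "dob": "1968-09-09", "postal": "V5K", "sex": "F", "dx": "diabetes"},
]

# Constructed "public" list (a directory or voter-style list): names plus the
# same indirect identifiers, but nothing about health.
PUBLIC_LIST = [{k: r[k] for k in ("name", "dob", "postal", "sex")} for r in RAW_RECORDS]

DIRECT_IDENTIFIERS = ("name",)
QUASI_IDENTIFIERS = ("dob", "postal", "sex")      # indirect identifiers left in the data


def code_records(records, link_key):
    """De-identified/coded: the direct identifier is replaced by a keyed code.
    Returns (coded records, link table). The link table is what the principal
    investigator would retain separately; whoever holds it (and the key) can
    re-link. A keyed HMAC rather than a plain hash, so an outsider cannot
    rebuild a code from a guessed name."""
    coded, link_table = [], {}
    for r in records:
        code = hmac.new(link_key, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        link_table[code] = r["name"]
        coded.append({"code": code, **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return coded, link_table


def anonymize(records):
    """Anonymized: direct identifiers stripped and no code kept, so the
    researcher cannot re-link. Indirect identifiers are still present."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Smallest number of records sharing one combination of the given fields.
    k == 1 means at least one record is unique on those fields."""
    classes = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(classes.values())


def linkage_attack(target, public, quasi=QUASI_IDENTIFIERS):
    """Join target records to a named public list on the indirect identifiers.
    Returns {code: name} for each target record matching exactly one person;
    records with several candidates are not counted as re-identified."""
    index = {}
    for p in public:
        index.setdefault(tuple(p[q] for q in quasi), []).append(p["name"])
    hits = {}
    for i, r in enumerate(target):
        candidates = index.get(tuple(r[q] for q in quasi), [])
        if len(candidates) == 1:
            hits[r.get("code", i)] = candidates[0]
    return hits


GENERALIZED_QUASI = ("dob", "sex")


def generalize(records):
    """Coarsen the indirect identifiers before release: date of birth reduced
    to a decade, postal prefix dropped entirely."""
    out = []
    for r in records:
        g = {k: v for k, v in r.items() if k != "postal"}
        g["dob"] = r["dob"][:3] + "0s"
        out.append(g)
    return out


def demo():
    link_key = b"link-table-key-held-by-PI-only"   # assumption: stored apart from the data
    coded, link_table = code_records(RAW_RECORDS, link_key)
    anon = anonymize(RAW_RECORDS)
    hits = linkage_attack(coded, PUBLIC_LIST)
    gen_hits = linkage_attack(generalize(coded), generalize(PUBLIC_LIST), GENERALIZED_QUASI)
    return {
        "coded_has_names": any("name" in r for r in coded),
        "relink_works": all(link_table[r["code"]] for r in coded),
        "anon_relinkable": any("code" in r or "name" in r for r in anon),
        "k_before": k_anonymity(coded),
        "reidentified_before": sorted(hits.values()),
        "k_after": k_anonymity(generalize(coded), GENERALIZED_QUASI),
        "reidentified_after": sorted(gen_hits.values()),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

On the constructed data, four records are unique on date of birth, postal prefix and sex, so the linkage re-identifies four people even though every name was removed; the two pairs that share all three values are left ambiguous and are not counted. Reducing date of birth to a decade and dropping the postal prefix raises k to 2 and the same linkage yields no unique match. This is the mechanism behind the Section A warning about small geographical areas and unique characteristics: what matters is how many people share the remaining indirect identifiers, not whether direct identifiers were removed.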

Where researchers seek access to datasets held by another organization, it may be preferable for the data holder to carry out the data linkage and remove identifiers before disclosing the merged dataset.

Legislation and organizational policies may regulate data linkage in specific circumstances. For example, some personal information protection legislation requires data sharing agreements that regulate the conditions under which data linkage may be carried out. Data holders, such as statistics agencies, may also have policies on data linkage [6].

Where researchers propose to access and link datasets of identifiable information for the secondary purpose of research, the requirements of Section D apply.

Endnotes


[1] See, for example, the Canadian Standards Association’s Model Code for the Protection of Personal Information (1996).

[2] For discussion of factors that affect risks of re-identification, see Khaled El Emam, Overview of Factors Affecting the Risk of Re-identification in Canada (Report written for the Access to Information and Privacy Division of Health Canada, May 8, 2006), www.ehealthinformation.ca/documents/HealthCanadaReidReport.pdf

[3] See the SSHRC Research Data Archiving Policy, www.sshrc-crsh.gc.ca/site/apply-demande/policies-politiques/edata-donnees_electroniques-eng.aspx and the CIHR Policy on Access to Research Outputs (September 2007), www.cihr-irsc.gc.ca/e/34846.html

[4] See also the Canadian Institutes of Health Research Guidelines for Health Research Involving Aboriginal People (May 2007), www.cihr-irsc.gc.ca/e/29134.html

[5] For discussion of factors relevant to assessing impracticability of consent, see, for example, the Canadian Institutes of Health Research Best Practices for Protecting Privacy in Health Research (September 2005), Section 3.3 “Secondary Use,” pp. 38–41.

[6] See, for example, Statistics Canada’s Policy on Record Linkage: www.statcan.gc.ca/record-enregistrement/policy4-1-politique4-1-eng.htm